acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf

General

Target

acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
Size

10.3MB
MD5

3694d46734b4203df329094375dacf60
SHA1

0df75295e96404a9a0ec681c8a3f72da1119e96f
SHA256

acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf
SHA512

077e34ef954c54141f9c552006b723faf3df1a2b54da3bf4d3f3c90d8ebe5eea36ed1020779cdf3541626d0c97b4ec1fdbc1b0870869de249b8ab841bf19691b
SSDEEP

196608:EXCG18XYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO37Z:2CG8XD4F3e+biSDcQwM8uDu6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	aria2c.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2748	2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe	30
PID 2256 wrote to memory of 2748	2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe	30
PID 2256 wrote to memory of 2748	2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe	30
PID 2256 wrote to memory of 2748	2256	acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe	30

C:\Users\Admin\AppData\Local\Temp\acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe
"C:\Users\Admin\AppData\Local\Temp\acde86340b9377351d2232a6c3ccbf76a8b7d6e738af5bdec805aa3839755eaf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
  "C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=2256
  2⤵
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf

Filesize
14KB

MD5
8fe8b7178aba312ef6db32fac969b70c

SHA1
1fa1abee48b1a02fcd8451d82e4b9b606cbfd339

SHA256
9f54938d4bd3febce3a6286c9281dc68a399e5babce42742e09343b12ad31c98

SHA512
5d09499070e5483548b142d226303933fafa310ea3ddd0b1ca582b760528dc846fa0f73bdfb8fb7166c41715377ed110dee3c4c91d3252d0f7a6de5be721aa2e

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

Filesize
73KB

MD5
ac00e670767bed0f484fcd62d1a15dba

SHA1
8c8fe2782f35e1267d64bc0c348983ff5bae0aaf

SHA256
240c3d7ee1181f3d10999cff2b541450324f614a82fb94c4923292d82dcfc861

SHA512
6253e24c60331ff8f0e5b0496b9bb0bba69fad7e86c92055676164f0776b226f473ef54ee22601fa11da622b090d4a782de24b60ffeb43dab7e6cd0248a952d2

Download Submit
\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

Filesize
128KB

MD5
98d854fda7295044cec31e0bd2e491cd

SHA1
15c3c32fa69792bb09007cca210a62746ea9d832

SHA256
61e6413612a873cc4baee4cf6a9a3ec125c696f86a00f1af52f8c65746464344

SHA512
9c749100684b03648605fade3e92f116dbed62de1141a41231847a88be3db267e1e3e2c7d35abe144de3c8151b1522c13e4bb2d06cba697e693b0e004887e9bb

Download Submit
\Users\Admin\AppData\Roaming\datatemp\libcurl.dll

Filesize
44KB

MD5
5f386c1b9892814a8ad7fa46ab420603

SHA1
5b1d220034185f263dae6edfb97ab1847662bbc2

SHA256
ae46a02661ee141c93fcd6039c82442b7a7516c8203edb56182e0ebac82aa83e

SHA512
b1acce6c6b2c82d293e815466e3c617544b3a57e9b7c4301f02d9eaff2fc1c7aa3302356f17d4dcfba902a11b4d04d8ec8105f1940d963c73219f7f37c37f490

Download Submit
memory/2748-25-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2748-27-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing